Zeus' coffin not yet closed as domains still living

Three command-and-control (C&C) servers, which are feeding instructions to computers infected with the Zeus trojan, still are operational despite a Microsoft-led effort to disable the botnet, according to researchers at security firm FireEye.

Late last month, U.S. Marshals led raids on hosting locations in Scranton, Pa., and Lombard, Ill., where they confiscated C&C servers and took down two key IP addresses in the process. In addition, as a result of the seizure, Microsoft assumed control of some 800 domains associated with the servers, a process known as sinkholing, in which traffic from infected machines is redirected to servers the defenders control instead of the botnet operators.

Atif Mushtaq, a senior staff scientist at FireEye, said in a blog post this week that the company has tracked more than 150 domains used by the botnet. But researchers found that despite the dismantling, three domains associated with Zeus remain live.

Botnets sometimes stay alive by hiding behind fast-flux infrastructure, in which the IP addresses behind a C&C domain are rotated constantly, often with very short DNS time-to-live values, so that seizing any one server does little lasting damage. But Mushtaq seems perplexed as to exactly why these three domains have been so resilient.
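As an added illustration of the fast-flux behaviour described above (example code written for this page, not FireEye's or Microsoft's tooling), the following Python script scores domains in a set of passive-DNS observations by how many distinct addresses and /24 networks answer for them and how short their TTLs are. The domain names, IP addresses and TTLs are constructed sample data, not real Zeus infrastructure, and the thresholds are assumptions chosen for the example.

```python
"""Flag fast-flux domains in passive-DNS observations (added example)."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int     # observation time (epoch seconds)
    name: str   # queried domain
    ip: str     # A record returned
    ttl: int    # TTL in seconds


# Constructed sample observations (hypothetical domains under .test and
# documentation / private address ranges); not real botnet data.
SAMPLE_RECORDS = [
    # Fast-flux pattern: a new address from a different network on almost
    # every lookup, with a short TTL so resolvers re-query constantly.
    DnsAnswer(1000, "flux-example.test", "192.0.2.17", 60),
    DnsAnswer(1060, "flux-example.test", "198.51.100.45", 60),
    DnsAnswer(1120, "flux-example.test", "203.0.113.88", 60),
    DnsAnswer(1180, "flux-example.test", "10.8.4.21", 60),
    DnsAnswer(1240, "flux-example.test", "10.77.1.9", 60),
    DnsAnswer(1300, "flux-example.test", "10.140.22.3", 60),
    DnsAnswer(1360, "flux-example.test", "192.0.2.200", 60),
    DnsAnswer(1420, "flux-example.test", "198.51.100.7", 60),
    # Static hosting: one address, long TTL.
    *[DnsAnswer(1000 + 600 * i, "static-example.test", "203.0.113.10", 3600)
      for i in range(8)],
    # Round-robin within a single network (CDN-like): short TTL but low
    # network diversity, so it should not be flagged.
    DnsAnswer(1000, "cdn-example.test", "198.51.100.11", 60),
    DnsAnswer(1060, "cdn-example.test", "198.51.100.12", 60),
    DnsAnswer(1120, "cdn-example.test", "198.51.100.13", 60),
    DnsAnswer(1180, "cdn-example.test", "198.51.100.14", 60),
    DnsAnswer(1240, "cdn-example.test", "198.51.100.11", 60),
    DnsAnswer(1300, "cdn-example.test", "198.51.100.12", 60),
]


def domain_metrics(records):
    """Per-domain counts of distinct IPs, distinct /24s and median TTL."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.name].append(r)
    metrics = {}
    for name, rs in by_domain.items():
        ips = {r.ip for r in rs}
        # /24 diversity is a rough proxy for "many unrelated hosts" (fast
        # flux) versus one provider's address block (ordinary load balancing).
        nets = {str(ipaddress.ip_network(f"{r.ip}/24", strict=False)) for r in rs}
        metrics[name] = {
            "answers": len(rs),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "median_ttl": statistics.median(r.ttl for r in rs),
        }
    return metrics


def is_fast_flux(m, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed thresholds: many IPs across several networks, short TTL."""
    return (m["distinct_ips"] >= min_ips
            and m["distinct_nets"] >= min_nets
            and m["median_ttl"] <= max_ttl)


def flag_fast_flux(records, **thresholds):
    """Return the sorted list of domains whose metrics look fast-flux."""
    return sorted(name for name, m in domain_metrics(records).items()
                  if is_fast_flux(m, **thresholds))


if __name__ == "__main__":
    for name, m in domain_metrics(SAMPLE_RECORDS).items():
        print(f"{name:22} ips={m['distinct_ips']:2} nets={m['distinct_nets']:2} "
              f"median_ttl={m['median_ttl']:6} flux={is_fast_flux(m)}")
    print("flagged:", flag_fast_flux(SAMPLE_RECORDS))
```

On the sample data only flux-example.test is flagged: the static domain fails on address count, and the round-robin domain fails on network diversity despite its short TTL. In practice the thresholds need tuning against a baseline of legitimate CDN and cloud traffic, and a single hit should drive enrichment (ASN lookups, registration age, sinkhole status) rather than an automatic block.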

"[Microsoft's] main concern should be the three active domains," Mushtaq wrote. "Without these domains completely destroyed, this botnet can not be officially declared as dead."

A Microsoft spokeswoman did not immediately respond to a request for comment.

UPDATE: Microsoft released a statement this evening from Richard Boscovich, senior attorney in its Digital Crimes Unit.

"The command-and-control servers referenced in FireEye's blog post were not seized as part of the March 23 raids. Microsoft intentionally did not target these command and control servers for strategic reasons and believes those servers may be part of the Zeus botnets' fallback mechanism. As we have said before, this was the first action in a long term campaign. Additionally, we have just received court approval to begin looking at the evidence seized as part of the raids and will be sure to share more information when it is available."
